AntiSec target learns the hard way that whitelists > blacklists

IRC Federal, an IT contractor providing services to the US government, …

Servers belonging to IRC Federal, a West Virginia IT company whose clientele included NASA, the Departments of Justice and Defense, and the US Army and Navy, have been broken into, with documents, databases, and e-mails published in yet another hack performed under the AntiSec banner.

The announcement of the hack and release of the documents was named "Fuck FBI Friday II." The original Fuck FBI Friday was Lulz Security's announcement that it had hacked a local affiliate of the FBI's cybercrime community InfraGard. IRC Federal's connection with the FBI is rather more tenuous—the company is privately held, providing services to the government.

Same old story

The description of how the hack was performed is one that is now all too familiar. The simple content management system used by IRC Federal's website included an SQL injection vulnerability, which was used to read information from the database powering the site. This database included the user accounts for employees allowed to update the site, as well as their unencrypted passwords. With administrator access to the site, the CMS permitted the hackers to upload custom script files—it included rudimentary protection against uploading scripts, but this protection used a blacklist of forbidden file types, rather than a more secure whitelist of permitted types. The use of a blacklist enabled the hackers to find a script file type that the CMS didn't block; with their script running on the server, they could subsequently perform further attacks, such as exploiting flaws in the operating system to elevate their privileges.
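The blacklist-versus-whitelist distinction above is the crux of the story, so here is an added illustration of it in Python (example code written for this page; it is not IRC Federal's CMS, whose code is not public). It places a blacklist upload filter of the kind the article describes next to a whitelist filter, and runs both over a constructed set of sample uploads. The permitted types, their magic bytes, the forbidden-extension list and the sample filenames are all assumptions chosen for the demonstration; the point is that a blacklist fails open on any variant it did not anticipate (a different case, a sibling extension that the same server-side handler may be mapped to, a double extension), whereas a whitelist fails closed and can additionally check that the content matches the claimed type.

```python
"""Blacklist vs. whitelist file-upload filters (added example, not the CMS from the article)."""
import os
import uuid

# A blacklist in the style the article describes: block a few script types, allow the rest.
# (Assumed list; a real deployment would have its own.)
FORBIDDEN_EXTENSIONS = {"php", "asp", "aspx", "jsp", "exe"}


def blacklist_allows(filename: str) -> bool:
    """Permits anything whose trailing extension is not on the forbidden list.

    This is the weak pattern: it is case-sensitive, it only looks at the last
    extension, and it cannot know about extensions it was never told about.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in FORBIDDEN_EXTENSIONS


# A whitelist: only the types the site legitimately needs, each paired with the
# leading bytes a genuine file of that type starts with (assumed set of types).
PERMITTED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def whitelist_allows(filename: str, head: bytes) -> bool:
    """Permits a file only if its name has exactly one extension, that extension
    (compared case-insensitively) is on the permitted list, and the leading
    bytes of the content match what that type is supposed to look like."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    # Reject: no extension, a dotfile, or "a.php.png"-style double extensions.
    if len(parts) != 2 or not parts[0]:
        return False
    ext = parts[1]
    if ext not in PERMITTED:
        return False
    return any(head.startswith(magic) for magic in PERMITTED[ext])


def stored_name(filename: str) -> str:
    """Never reuse the client-supplied name on disk: keep only the vetted extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{uuid.uuid4().hex}.{ext}"


# Constructed sample uploads: filename plus the first bytes of the submitted content.
# None of these is real data from the incident; the script bodies are placeholders.
SAMPLE_UPLOADS = [
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("notes.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("shell.php", b"<?php /* placeholder script */ ?>"),
    ("shell.PHP", b"<?php /* placeholder script */ ?>"),      # case variant
    ("shell.phtml", b"<?php /* placeholder script */ ?>"),    # sibling extension
    ("shell.php.png", b"<?php /* placeholder script */ ?>"),  # double extension
    ("fake.png", b"<?php /* placeholder script */ ?>"),       # image name, script body
]


def compare(uploads=SAMPLE_UPLOADS):
    """Returns {filename: (blacklist_verdict, whitelist_verdict)} for each sample."""
    return {name: (blacklist_allows(name), whitelist_allows(name, head))
            for name, head in uploads}


if __name__ == "__main__":
    for name, (bl, wl) in compare().items():
        bl_s = "allow" if bl else "block"
        wl_s = "allow" if wl else "block"
        print(f"{name:16} blacklist={bl_s:5}  whitelist={wl_s}")
```

Run as a script it prints one line per sample; the blacklist lets every variant except the literal `shell.php` through, while the whitelist admits only the two genuine files. The `stored_name` helper shows the companion habit of discarding the uploaded filename altogether, so that nothing the client chose ends up in a path on the server.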

The Web server now compromised, the hackers could examine other internal systems, including a phpBB message board. Several of the passwords used in the phpBB system were easily cracked, and some of these cracked passwords were also found to be used by IRC Federal employees for their e-mail. This gave the hackers access to at least two e-mail accounts: those of IRC Federal Vice Presidents Bill Hunt and Greg Stine.

Some time after the hack was made public, the machine hosting IRC Federal's site was taken down. It remains offline. The rudimentary security failings are likely to prove an embarrassment for the company. The company boasted on the site that its "engineers and specialists have built Web and Internet security solutions since the earliest beginnings of the World Wide Web." Perhaps the company's public-facing website was not sufficiently important to justify bringing IRC Federal's own expertise to bear on it, but as was the case with HBGary, breaking into one system can often provide hackers with the information or access they need to get into other systems.

Awash in a sea of documentation

The data that was published is largely, if not completely, mundane. Most of the databases appear to be old backups or replicas of the databases used to operate other sites developed or maintained by IRC Federal and/or employee Bobby Williams. A common theme to these databases is the use of plaintext passwords, indicating that IRC Federal's own website is not the only one to store passwords so unsafely. Other databases include an ancient timesheet system, abandoned in 2003, and the aforementioned phpBB database.

The documents that were taken give a glimpse of just how much paperwork is needed for government procurement. There are requests for proposals from various federal bodies, and IRC Federal's responses to those requests. The project with the most documentation is a NASA project, to provide support to NASA's Software Assurance Tools (SWAT) group. This is nothing if not innocuous; SWAT is looking for companies to provide management, training, and development of tools to improve its software engineering efforts.

FBI involvement

The proposal that has apparently been most shocking is an FBI project named "Special Identities Modernization" (SIM), created by the FBI's "Special Identities Unit" (SIU). SIU's mission is to "reduce terrorist and criminal activity by protecting all records associated with trusted individuals and revealing the identities of those individuals who may pose serious risk to the United States and its allies." A statement of work outlining the project and the requirements that proposals must fulfill were found in Bill Hunt's documents.

SIU wants to make the management of its identity data more efficient and effective, and to do this it is seeking to perform a major redesign of its IT systems; in particular, a system named SYS1, which stores all the information about people of interest to the FBI. SYS1 currently stores its information in an SQL Server 2000 database, and has a Visual Basic.NET front-end; SIU wants to replace this with a new system built using C# and ASP.NET. The new SYS1 must also support integration with other FBI systems such as the Biometric Collection Integrated Platform (BCIP), a mobile system to send and receive biometric data to allow in-the-field identification of individuals encountered by the FBI.

As with the rest of the data, this is a very ordinary project; it's not extraordinary that the FBI might have biometric data—things like photographs, fingerprints, or even DNA—of both its own agents and criminals. The fact that it has a system to ensure the effective protection or dissemination of this information, as appropriate, is not at all surprising. The HBGary Federal hack revealed a range of project proposals by HBGary Federal and its partners to attack the credibility of WikiLeaks and develop rootkits and backdoors for the government. Though these proposals don't appear to have ever come to fruition, they created an aura of mystery and intrigue—it was a cloak and dagger tale for the 21st century. With IRC Federal, however, the story is one of paperwork. Reams of it.

Not that this mundanity bothers the forces of AntiSec, as its press release makes clear:

Before we begin the drop, a personal message to the employees of IRC Federal:

If you place any value on freedom, then stop working for the oligarchy and start working against it. Stop aiding the corporations and a government which uses unethical means to corner vast amounts of wealth and proceed to flagrantly abuse their power. Together, we have the power to change this world for the better.

The viewpoint is black-or-white, good-or-evil, us-or-them, with no room for nuance or shades of gray: any and all collaboration with government is unacceptable, and "aiding" the government makes one a target.

Speaking to the New York Times, IRC Federal had no comment to make, other than to say that the FBI has been notified of the crime perpetrated against them. The FBI, in turn, made no comment at all.